Here’s the PG&E treatment for a web session timeout:
What I don’t like is that this is done in a layer, and the main page is still visible behind the layer. The main reasons the site does a session timeout are the user’s security and privacy. With this treatment, the privacy aspect is not protected at all. Any new user who shows up at the computer can see what the previous user was doing behind the layer. In terms of security, while the layer may keep a new malicious user from getting into the original user’s account, leaving the original user’s account number accessible is a security hole.
A better way to do it is to paint a new “timeout” page:
Or, as Bank of America does, paint a temporary interstitial “you are about to timeout” page, then redirect the user to the home page.
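A sketch of the "new page" treatment, added here as an illustration (it is not code from PG&E, Bank of America, or the original post): an idle timer that ends the session and replaces the whole document instead of drawing a layer over it. The routes `/session/timed-out` and `/logout`, the 15-minute limit, and the function name `createIdleRedirect` are assumptions.

```javascript
// Added example. Routes, the idle limit and all names are hypothetical.
// On idle expiry the page is replaced by a full navigation, so no account
// data from the previous user stays rendered behind a layer.
function createIdleRedirect({ idleMs, target, now, replace, endSession }) {
  let last = now();   // time of the most recent user activity
  let fired = false;  // set once the page has been replaced

  return {
    // Wire to input events. Ignored after expiry: a timed-out session
    // must not be revived from the client side.
    activity() {
      if (!fired) last = now();
    },
    // Poll from a timer. Returns true once the redirect has happened.
    check() {
      if (!fired && now() - last >= idleMs) {
        fired = true;
        if (endSession) endSession(); // ask the server to invalidate the session
        replace(target);              // navigate away; the old page is gone from view
      }
      return fired;
    },
  };
}

// Browser wiring (skipped when run outside a browser).
if (typeof window !== "undefined") {
  const idle = createIdleRedirect({
    idleMs: 15 * 60 * 1000,                             // assumed idle limit
    target: "/session/timed-out",                       // hypothetical timeout page
    now: () => Date.now(),
    replace: (url) => window.location.replace(url),     // also replaces the history entry
    endSession: () => navigator.sendBeacon("/logout"),  // hypothetical logout endpoint
  });
  ["click", "keydown", "scroll"].forEach((evt) =>
    window.addEventListener(evt, idle.activity, { passive: true })
  );
  setInterval(idle.check, 1000);
}
```

For the interstitial variant, the account page would use a shorter `idleMs` with the warning page as `target`, and the warning page would run the same function with the home page as its `target`.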